URL: https://www.toddpigram.com/

CLOUDY JOURNEY

Posts on Security, Cloud, DevOps, Citrix, VMware and others. Words and views are
my own and do not reflect on my companies views. Disclaimer: some of the links
on this site are affiliate links, if you click on them and make a purchase, I
make a commission.










MONDAY, AUGUST 5, 2024


INTRODUCING CITRIX WORKSPACE APP WIDGETS FOR MACOS!



In today’s fast-paced digital landscape, efficiency is key. Users are constantly
seeking ways to streamline their workflows and access their favorite resources
and applications with minimal effort. It is cumbersome to navigate through
multiple screens just to access the tools you need. Convenience has become a
priority, and Citrix is here to deliver for our end users.

We are excited to introduce Citrix Workspace app Widgets for macOS Sonoma. This
latest innovation is designed to enhance your user experience and productivity.
Apple has introduced a new feature with macOS Sonoma that changes the way you
interact with your Widgets. No more endless navigation through screens; now you
can launch your preferred Citrix resources directly from your desktop.


WHAT ARE WIDGETS?

So, what exactly are Widgets? Think of them as mini-applications that give you
quick access to specific functions or information without opening the full
application. With macOS Sonoma, you can add Citrix Workspace app Widgets
directly onto your desktop, offering instant access to your favorite desktops
and applications.

If you’re using macOS 13 or below, you can still benefit from Citrix Workspace
app Widgets through the notification slider, providing quick and convenient
access from the macOS menu bar.


THE POWER OF WIDGETS

With macOS Sonoma, you have what you need right at your fingertips. Instead of
navigating through multiple screens or launching the full Citrix Workspace
application, you can simply click on the Citrix Widget on your desktop and
instantly access the resource. This approach saves you time, clicks, and lets
you hit the ground running with your resources right from your home screen.

If you primarily use one desktop, Citrix Workspace app offers a small widget.
This compact widget shows your favorite single desktop, keeping things simple
and accessible.

If you’re juggling multiple resources, there’s a large widget that can hold up
to six favorite desktops and apps, providing easy access to everything you need
in one place.

Adding widgets on macOS Sonoma is straightforward. Just right-click on your
desktop, choose “Edit Widgets,” find the Citrix Workspace app Widget you want,
and drag it onto your desktop. It’s that simple!


LEARN MORE!

With Citrix Workspace Widgets, your workflow becomes more efficient, and
accessing your essential resources is easier than ever.

To learn more about how to leverage Citrix Workspace app Widgets or other new
features, check out our product documentation.



from Citrix Blogs https://ift.tt/uCk2GLU
via IFTTT

Posted by Pigram86 at 12:45 PM No comments:
Labels: Feedly, IFTTT




HCP PACKER NOW TRACKS CI/CD PIPELINE METADATA



We are excited to announce the addition of pipeline metadata tracking, now
available in HCP Packer. HCP Packer is a powerful tool that provides image
lifecycle management at scale across any cloud and on-premises environments.
With this addition, users can now track which CI/CD tools were used in the
image-building process through integrations with GitHub and GitLab. This
enhancement helps lay the foundation for a secure build pipeline and grants HCP
Packer level 1 compliance with SLSA (Supply-Chain Levels for Software
Artifacts).


ARTIFACT PROVENANCE CHALLENGES

As the security demands on the software supply chain grow, organizations
recognize the need for provenance of their base images and build artifacts.
Artifact provenance includes verifiable information about the creation and
configuration of image builds. Without a clear lineage of where, how, and by
whom each artifact was built, it can be difficult to verify an artifact's
legitimacy and compliance. Organizations must ensure they employ only trusted
artifacts, validated at each stage of their lifecycle, to maintain the integrity
and security of their software.


IMPROVING BUILD VISIBILITY

HCP Packer now provides the ability to track pipeline metadata in the artifact
registry. This includes critical CI/CD information such as pipeline IDs, job
names, details on the operating system, VCS commits, and more. For a full list
of the details captured, please refer to the build pipeline metadata reference.

This addition grants HCP Packer level 1 SLSA compliance by providing a basic
level of source code identification that can help organizations make risk-based
security decisions. With this visibility, organizations can shift their security
left and address risks earlier in the infrastructure deployment process.

Pipeline metadata tracking builds on our initiative to enhance metadata
visibility within HCP Packer, with recent additions including Packer version and
plugin version tracking. It marks another step towards complete artifact
provenance to help organizations gain full visibility into their images and keep
their build pipelines secure.


LEARN MORE

To learn more about pipeline metadata in HCP Packer, please refer to the build
pipeline metadata documentation and the Automate Packer with GitHub Actions
tutorial.

Get started with HCP Packer for free to track and manage artifacts across all
your cloud environments.



from HashiCorp Blog https://ift.tt/8Ph7MX1
via IFTTT

Posted by Pigram86 at 12:15 PM No comments:
Labels: Feedly, IFTTT



THE LOPER BRIGHT DECISION: HOW IT IMPACTS CYBERSECURITY LAW



Aug 05, 2024The Hacker NewsCybersecurity Law / Data Privacy

The Loper Bright decision has yielded impactful results: the Supreme Court has
overturned forty years of administrative law, leading to potential litigation
over the interpretation of ambiguous laws previously decided by federal
agencies. This article explores key questions for cybersecurity professionals
and leaders as we enter a more contentious period of cybersecurity law.


BACKGROUND


WHAT IS THE LOPER BRIGHT DECISION?

The Loper Bright decision by the U.S. Supreme Court overruled the Chevron
deference, stating that courts, not agencies, will decide all relevant questions
of law arising on review of agency action. The Court held that because the
Administrative Procedure Act (APA)'s text is clear, agency interpretations of
statutes are not entitled to deference. The ruling emphasized that courts must
exercise independent judgment in deciding whether an agency has acted within its
statutory authority. This decision shifts the power of statutory interpretation
from federal agencies to the judiciary.


WHAT WAS THE CHEVRON DEFERENCE?

The Chevron deference required courts to defer to federal agencies' reasonable
interpretations of ambiguous statutes. It originated from the 1984 Supreme Court
case Chevron U.S.A., Inc. v. Natural Resources Defense Council. Under Chevron,
if a statute was ambiguous, courts would defer to the agency's interpretation if
it was reasonable. This deference shaped administrative law for nearly 40 years.


WHAT IMMEDIATE STEPS SHOULD COMPANIES CONSIDER TAKING NOW TO ENSURE COMPLIANCE
WITH CYBERSECURITY REGULATIONS THAT MIGHT BE CHALLENGED IN COURT?

Nothing has changed, yet. However, to ensure compliance with cybersecurity
regulations that might now be challenged in court, companies should:

 * Assess existing cybersecurity requirements to ensure they align with current
   regulations that are supported by clear statutory authority.
 * Stay updated on court rulings and regulatory changes. The removal of Chevron
   deference means courts will scrutinize agency interpretations more closely.
 * Be prepared to update compliance programs if regulatory or legal requirements
   change as a result of jurisprudence.
 * Work with legal experts to navigate the evolving regulatory landscape.

Effective cybersecurity controls are deployed when they are mapped to one or
more agreed-upon risks, which can include regulatory or legal requirements as
well as external threats. Companies should consider updating or removing
controls in light of any future jurisprudence based on Loper Bright only if
those controls exclusively existed for regulatory purposes and did not mitigate
additional risks. Companies should ensure that their controls have clear
traceability to requirements so that they can quickly assess the effects of any
future regulatory changes.


HOW WILL THE LOPER BRIGHT DECISION IMPACT THE ENFORCEMENT OF EXISTING
CYBERSECURITY REGULATIONS UNDER THE FTC, SEC, AND OTHERS?

The Loper Bright decision will likely make cybersecurity regulations more
vulnerable to legal challenges. Courts will no longer defer to agency
interpretations of ambiguous statutes and will exercise their independent
judgment. This shift may lead to more frequent legal challenges, increased
scrutiny of regulations, and delays. A partial list of agencies that may be
affected by litigation post-Loper Bright follows:

 * FTC: Recent FTC rulemaking under Section 5, including the Health Breach
   Notification Rule and proposed changes to the Children's Online Privacy
   Protection Rule, could be challenged.
 * SEC: The Securities and Exchange Acts of 1933 and 1934 do not mention
   cybersecurity, which could result in a challenge to the SEC's requirement of
   cybersecurity disclosures within four days of determining materiality.
 * GLBA: Regulators have recently expanded their rules with a range of cyber
   incident reporting requirements for financial institutions.
 * TSA: TSA's emergency amendments in 2022 for cybersecurity requirements for
   passenger and freight railroad carriers, as well as airport and aircraft
   operators, may be challenged.
 * CISA: The Cybersecurity and Infrastructure Security Agency's (CISA) proposed
   rule for implementing the Cyber Incident Reporting for Critical
   Infrastructure Act of 2022 rests on broad interpretations and could be
   contested under new judicial scrutiny.


HOW COULD THE LOPER BRIGHT DECISION AFFECT THE CONSISTENCY OF CYBERSECURITY
REGULATIONS AND ENFORCEMENT ACROSS DIFFERENT JURISDICTIONS?

The Loper Bright decision may impact the consistency of cybersecurity
regulations and enforcement across different jurisdictions. By eliminating the
Chevron deference, courts now have more ability to interpret statutes
independently, which could lead to varied interpretations and applications of
cybersecurity laws. This inconsistency might force businesses to adapt their
compliance programs more frequently due to varying interpretations across
jurisdictions.


HOW WILL THE REMOVAL OF THE CHEVRON DEFERENCE POTENTIALLY INFLUENCE THE
DEVELOPMENT OF FUTURE CYBERSECURITY REGULATIONS?

The removal of the Chevron deference will likely create a more fragmented and
inconsistent regulatory environment for cybersecurity. Federal agencies will
need to provide more compelling justifications and details for their rulemaking
decisions. This shift may lead to increased judicial scrutiny of existing
regulations and proposed rules, making it harder for agencies like the FTC and
CISA to quickly adapt to new threats.

Courts will consider the persuasive power of agency interpretations, giving
weight to their expertise only if it is especially informative and based on
thorough, consistent reasoning. This shift is likely to result in increased
legal challenges to existing cybersecurity regulations and new rulemakings,
complicating compliance efforts.


WHAT ROLE MAY JUDICIAL INTERPRETATION PLAY IN DEFINING THE SCOPE OF
CYBERSECURITY REGULATIONS POST-LOPER BRIGHT?

Judicial interpretation will play a significant role in defining the scope of
cybersecurity regulations post-Loper Bright. Courts will independently assess
the statutory authority of agencies, leading to potentially more fragmented and
inconsistent regulatory environments. This change necessitates a reevaluation of
regulatory compliance and advocacy approaches.

Ultimately, the decision underscores the need for Congress to provide clearer
statutory guidance for cybersecurity regulations to withstand judicial review.




from The Hacker News https://ift.tt/tP0RUad
via IFTTT

Posted by Pigram86 at 7:55 AM No comments:
Labels: Feedly, IFTTT



ENHANCING INCIDENT RESPONSE READINESS WITH WAZUH



Incident response is a structured approach to managing and addressing security
breaches or cyber-attacks. Security teams must overcome challenges such as
timely detection, comprehensive data collection, and coordinated actions to
enhance readiness. Improving these areas ensures a swift and effective response,
minimizing damage and restoring normal operations quickly.


CHALLENGES IN INCIDENT RESPONSE

Incident response presents several challenges that must be addressed to ensure a
swift and effective recovery from cyber attacks. The following section lists
some of these challenges.

 * Timeliness: One of the primary challenges in incident response is addressing
   incidents quickly enough to minimize damage. Delays in response can lead to
   more compromises and increased recovery costs.
 * Information correlation: Security teams often struggle to effectively collect
   and correlate relevant data. Without a comprehensive view, understanding the
   full scope and impact of the incident becomes difficult.
 * Coordination and communication: Incident response requires coordination
   amongst various parties, including technical teams, management, and external
   partners. Poor communication can lead to confusion and ineffective responses.
 * Resource constraints: Many organizations operate with limited security
   resources. Understaffed teams may find it challenging to handle multiple
   incidents simultaneously, leading to prioritization issues and potential
   oversight.


STAGES OF INCIDENT RESPONSE

 * Preparation involves creating an incident response plan, training teams, and
   setting up the right tools to detect and respond to threats.
 * Identification is the next critical step. It relies on effective monitoring
   for quick and accurate alerting of suspicious activities.
 * Containment uses immediate actions to limit the spread of the incident. This
   includes short-term efforts to isolate the breach and long-term strategies to
   secure the system before it is returned to full operation.
 * Eradication involves addressing the root causes of the incident. This
   includes removing malware and fixing exploited vulnerabilities.
 * Recovery entails restoring systems and closely monitoring them to ensure they
   are clean and functioning properly post-incident.
 * Lessons learned involve reviewing the incident and the response to it. This
   step is vital for improving future responses.


HOW WAZUH ENHANCES INCIDENT RESPONSE READINESS

Wazuh is an open source platform that offers unified security information and
event management (SIEM) and extended detection and response (XDR) capabilities
across workloads in cloud and on-premises environments. Wazuh performs log data
analysis, file integrity monitoring, threat detection, real-time alerting, and
automated incident response. The section below shows some ways Wazuh improves
incident response.


AUTOMATED INCIDENT RESPONSE

The Wazuh active response module triggers actions in response to specific events
on monitored endpoints. When an alert meets specific criteria, such as a
particular rule ID, severity level, or rule group, the module initiates
predefined actions to address the incident. Security administrators can
configure automated actions to respond to specific security incidents.

Implementing active response scripts in Wazuh involves defining commands and
configuring responses. This ensures that scripts execute under the right
conditions, helping organizations tailor their incident response to their unique
security needs. A general overview of the implementation process can be:

 * Command definition: Define the command in the Wazuh manager configuration
   file, specifying the script's location and necessary parameters. For example:


<command>
  <name>quarantine-host</name>
  <executable>quarantine_host.sh</executable>
  <expect>srcip</expect>
</command>


 * Active response configuration: Configure the active response to determine
   execution conditions, associating the command with specific rules and setting
   execution parameters. For example:


<active-response>
  <command>quarantine-host</command>
  <location>any</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>


 * Rule association: The custom active response will be linked to specific rules
   in the Wazuh ruleset to ensure the script runs when relevant alerts are
   triggered.

This implementation process allows security teams to automate responses
efficiently and customize their incident response strategies.


DEFAULT SECURITY ACTIONS

Wazuh active response automatically executes some specific actions in response
to certain security alerts by default, on both Windows and Linux endpoints.
These actions include but are not limited to:

BLOCKING A KNOWN MALICIOUS ACTOR

Wazuh can block known malicious actors by adding their IP addresses to a deny
list as soon as an alert triggers. This active response ensures malicious actors
are quickly disconnected from their target systems or networks.

The process typically involves continuously monitoring log data and network
traffic to detect compromise or anomalous behavior. Wazuh predefined rules
trigger an alert when suspicious activity is identified. The Wazuh active
response module executes a script to update firewall rules or network access
control lists, blocking the malicious IP address. A response action is logged,
and notifications are sent to security personnel for further investigation.

This use case utilizes a public IP reputation database, such as the AlienVault
IP reputation database or AbuseIPDB, containing IP addresses flagged as
malicious to identify and block known threats. The image below illustrates
identifying and blocking a malicious IP address based on an IP reputation
database.

MALWARE DETECTION AND REMOVAL WITH WAZUH

Wazuh monitors file activity on endpoints, utilizing its File Integrity
Monitoring (FIM) capability, integrations with threat intelligence, and
predefined rules, to detect unusual patterns indicating potential malware
attacks. An alert is triggered upon identifying changes on files that match the
known malware behavior. The Wazuh active response module then initiates a script
to remove the malicious files to ensure they cannot execute or cause further
harm.

All actions are logged, and detailed notifications are generated for security
personnel. These logs include information about the detected anomaly and the
response actions executed, showing the status of the affected endpoint. Security
teams can then use the detailed logs and data from Wazuh to investigate the
attack and implement additional remediation measures.

The image below shows Wazuh detecting malicious software with VirusTotal, and
Wazuh active response removing the detected malware.

POLICY ENFORCEMENT

Account lockout is a security measure that defends against brute force attacks
by limiting the number of login attempts a user can make within a specified
time. Organizations can use Wazuh to enforce security policies automatically,
such as disabling a user account after multiple failed password attempts.

Wazuh uses disable-account, an out-of-the-box active response script, to disable
an account with three failed authentication attempts. In this use case, the user
is blocked for five minutes:


<ossec_config>
  <active-response>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>120100</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>


<command>: Specifies the disable-account active response script to be executed.

<location>: Specifies where the configured active response will be executed;
local means on the monitored endpoint that raised the alert.

<rules_id>: Specifies the rule ID whose alerts trigger the active response
command.

<timeout>: Specifies how long the active response action must last. In this
case, the account will remain disabled for 300 seconds. After that period, the
active response reverts its action and re-enables the account.

In the image below, the Wazuh active response module disables a user account on
a Linux endpoint and automatically re-enables it after 5 minutes.
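To make the frequency-and-timeout behaviour concrete, here is an added Python model (constructed example code, not Wazuh's rule engine or its disable-account script) that runs a three-failures rule over constructed sshd log lines and schedules the revert. The threshold of three attempts and the 300-second timeout are the values given above; the 120-second window, the host name and the log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (sample data, not captured from a real host).
# Syslog timestamps carry no year, so the parser supplies one.
SAMPLE_LOG = """\
Aug  5 10:00:01 web01 sshd[2210]: Failed password for bob from 198.51.100.23 port 51234 ssh2
Aug  5 10:00:05 web01 sshd[2211]: Failed password for alice from 198.51.100.40 port 51240 ssh2
Aug  5 10:00:09 web01 sshd[2212]: Failed password for bob from 198.51.100.23 port 51251 ssh2
Aug  5 10:00:14 web01 sshd[2213]: Failed password for bob from 198.51.100.23 port 51260 ssh2
Aug  5 10:02:00 web01 sshd[2214]: Failed password for bob from 198.51.100.23 port 51301 ssh2
Aug  5 10:07:00 web01 sshd[2215]: Failed password for invalid user alice from 198.51.100.40 port 51390 ssh2
Aug  5 10:07:30 web01 sshd[2216]: Failed password for alice from 198.51.100.40 port 51395 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(text, year=2024):
    """Return a time-ordered list of (timestamp, user, srcip) for every sshd failure."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts.replace(year=year), m["user"], m["ip"]))
    return sorted(events)


def lockout_timeline(events, threshold=3, window_s=120, timeout_s=300):
    """Model the rule plus active response: an 'add' disables the account when
    `threshold` failures fall inside `window_s` seconds, and a 'delete' re-enables
    it `timeout_s` seconds later (the <timeout> revert described above)."""
    recent = defaultdict(deque)   # user -> failure timestamps still inside the window
    locked_until = {}             # user -> moment the lock expires
    timeline = []
    for ts, user, _ip in events:
        if user in locked_until and ts < locked_until[user]:
            continue  # already disabled: execd would not run the same key twice
        q = recent[user]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # failures older than the window no longer count
        if len(q) >= threshold:
            q.clear()
            locked_until[user] = ts + timedelta(seconds=timeout_s)
            timeline.append((ts, "add", user))
            timeline.append((locked_until[user], "delete", user))
    timeline.sort()
    return [(t.strftime("%Y-%m-%d %H:%M:%S"), action, user) for t, action, user in timeline]


if __name__ == "__main__":
    for entry in lockout_timeline(parse_failed_logins(SAMPLE_LOG)):
        print(*entry)
```

In the sample, bob's third failure inside the window at 10:00:14 produces the add action and a delete five minutes later; his fourth attempt while disabled is ignored, and alice's failures never reach three inside any 120-second span, so her account is never touched.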


CUSTOMIZABLE SECURITY ACTIONS

Wazuh also provides flexibility by allowing users to develop custom active
response scripts in any programming language, enabling them to tailor responses
to their organization's unique requirements. For instance, a Python script could
be designed to quarantine an endpoint by modifying its firewall settings.
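Here is such a script written out as an added example; it is hypothetical code, not anything shipped by Wazuh, and it also fills in the command-definition step sketched earlier. It assumes the Wazuh 4.2+ active response protocol, in which wazuh-execd passes one JSON message on stdin whose command is add when the alert fires and delete when the configured timeout expires, together with the stateful check_keys handshake that execd answers with continue or abort. The script name quarantine_host.py, the iptables rule shape and the constructed alert messages are assumptions.

```python
import io
import ipaddress
import json
import subprocess
import sys

SCRIPT_NAME = "quarantine_host.py"  # hypothetical script name (assumption)


def parse_message(line):
    """Validate one wazuh-execd message and return (command, srcip)."""
    msg = json.loads(line)
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError(f"unsupported command {command!r}")
    alert = msg.get("parameters", {}).get("alert", {})
    raw = alert.get("data", {}).get("srcip")
    if raw is None:
        raise ValueError("alert carries no data.srcip to act on")
    ip = ipaddress.ip_address(raw)  # raises ValueError for anything but an IP literal
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"refusing to firewall {ip}")
    return command, str(ip)


def firewall_command(command, ip):
    """iptables argv: insert the DROP on 'add', remove it again on 'delete'."""
    return ["iptables", "-I" if command == "add" else "-D", "INPUT", "-s", ip, "-j", "DROP"]


def handle(line, run=subprocess.run, inp=sys.stdin, out=sys.stdout):
    """Process one execd message. Returns the argv run, or None if execd aborted."""
    command, ip = parse_message(line)
    if command == "add":
        # Stateful handshake: execd tracks active keys, so a repeat alert for an IP
        # that is already blocked is answered with "abort" instead of a second rule.
        out.write(json.dumps({
            "version": 1,
            "origin": {"name": SCRIPT_NAME, "module": "active-response"},
            "command": "check_keys",
            "parameters": {"keys": [ip]},
        }) + "\n")
        out.flush()
        if json.loads(inp.readline()).get("command") != "continue":
            return None
    argv = firewall_command(command, ip)
    run(argv, check=True)  # argv list, no shell: srcip can never become a shell word
    return argv


def execd_message(command, srcip):
    """Constructed execd message (sample data; rule id 100100 is a made-up value)."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "worker01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {"extra_args": [], "program": SCRIPT_NAME,
                       "alert": {"rule": {"id": "100100", "level": 10},
                                 "data": {"srcip": srcip}}},
    })


def demo(reply="continue"):
    """Dry run: record argv instead of touching iptables; returns (add, delete) results."""
    calls = []
    fake_run = lambda argv, check=True: calls.append(argv)
    execd_reply = json.dumps({"version": 1, "origin": {"name": "worker01", "module": "wazuh-execd"},
                              "command": reply, "parameters": {}}) + "\n"
    added = handle(execd_message("add", "203.0.113.7"), run=fake_run,
                   inp=io.StringIO(execd_reply), out=io.StringIO())
    removed = handle(execd_message("delete", "203.0.113.7"), run=fake_run,
                     inp=io.StringIO(), out=io.StringIO())
    return added, removed


if __name__ == "__main__":
    try:
        result = handle(sys.stdin.readline())
        print(f"{SCRIPT_NAME}: {'aborted' if result is None else ' '.join(result)}", file=sys.stderr)
    except (ValueError, subprocess.CalledProcessError) as exc:
        print(f"{SCRIPT_NAME}: {exc}", file=sys.stderr)
        sys.exit(1)
```

Deployed for real, the script would sit in the agent's active-response/bin directory, be referenced by a <command> block with <expect>srcip</expect>, and run as root; the argv-list call and the address validation are what keep a crafted srcip in a log line from turning into a command on the endpoint.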


INTEGRATION WITH THIRD-PARTY INCIDENT RESPONSE TOOLS

Wazuh integrates with various third-party incident response tools, enhancing its
capabilities and providing a more extensive security solution. This integration
allows organizations to leverage existing investments in security infrastructure
while benefiting from Wazuh capabilities.

For example, integrating Wazuh with Shuffle, a security orchestration,
automation, and response (SOAR) platform, enables the creation of sophisticated
automated workflows that streamline incident response processes.

Similarly, enhancing incident response with Wazuh and DFIR-IRIS integration
provides an insightful combination of digital forensics and incident response
(DFIR). DFIR-IRIS is a versatile incident response framework that, when
integrated with Wazuh, offers extended incident investigation and mitigation
capabilities.

These integrations can facilitate:

 * Automated ticket creation in IT service management (ITSM) systems.
 * Orchestrated threat intelligence lookups to enrich alert data.
 * Coordinated response actions across multiple security tools.
 * Customized reporting and notification workflows.

For instance, when Wazuh detects a phishing email containing a malicious link,
an incident ticket is automatically created in the ITSM system and assigned to
the relevant team for immediate attention. Simultaneously, Wazuh queries a
threat intelligence platform to enrich the alert data with additional context
about the malicious link, such as its origin and associated threats. The
security orchestration tool automatically isolates the affected endpoint and
blocks the malicious IP across all network devices. Customized reports and
notifications are generated and sent to relevant parties, ensuring they are
informed about the incident and the actions taken.

By leveraging these integrations, security teams can quickly and effectively
respond to the phishing attack, minimizing potential damage and preventing
further spread. This enhances incident response readiness through streamlined
and automated processes facilitated by integrating third-party tools with Wazuh.


CONCLUSION

Enhancing incident response readiness is essential for minimizing the impact of
cyberattacks. Wazuh provides a comprehensive solution to help your organization
achieve this with its real-time visibility, automated response capabilities, and
ability to integrate with third-party tools.

By leveraging Wazuh, security teams can manage incidents, reduce response times,
and ensure a robust security posture. Learn more about Wazuh by checking out our
documentation and joining our community of professionals.




from The Hacker News https://ift.tt/T7ELrA9
via IFTTT

Posted by Pigram86 at 6:35 AM No comments:
Labels: Feedly, IFTTT



NEW LIANSPY SPYWARE TARGETS ANDROID SMARTPHONES | KASPERSKY OFFICIAL BLOG



Spyware is a dangerous tool that can be used to selectively monitor specific
victims. Often the victims are employees in a single company, or residents in a
single country. The new mobile spyware, which we discovered and dubbed LianSpy,
targets — for now — users of Android smartphones in Russia, but the
unconventional approaches it employs could potentially be applied in other
regions as well. How it works and how to guard against this new threat is the
topic of this post.


WHAT IS LIANSPY?

We discovered LianSpy in March 2024. However, our data indicates it’s been
active for at least three years — dating back to July 2021! How did LianSpy
remain in the shadows for so long? The attackers meticulously cover their
tracks. Upon launch, the malware hides its icon on the home screen and operates
in the background using root privileges. This allows it to bypass Android status
bar notifications, which would typically alert the victim that the smartphone is
actively using the camera or microphone.

LianSpy disguises itself as system applications and financial services.
Interestingly, the attackers aren’t interested in the victims’ banking data.
This spyware silently and discreetly monitors user activity by intercepting call
logs, sending a list of installed applications to the attackers’ server, and
recording the smartphone’s screen — mainly during messenger activity.


HOW DOES LIANSPY WORK?

Unlike other spyware that exploits zero-click vulnerabilities, LianSpy requires
some actions on the part of the victim. Upon launching, the malware checks if it
has the necessary permissions to read contacts and call-logs, and use overlays.
If not, it requests them. That done, it registers an Android Broadcast Receiver
to get information about system events, enabling it to start or stop various
malicious tasks.

LianSpy uses root privileges in a rather unconventional way. Typically, they’re
used to gain complete control over the device. However, in the case of LianSpy,
the attackers make use of only a small part of the functionality available to
superusers. Interestingly, root privileges are used so as to prevent their
detection by security solutions.

LianSpy is a post-exploitation Trojan, meaning that the attackers either
exploited vulnerabilities to root Android devices, or modified the firmware by
gaining physical access to victims’ devices. It remains unclear which
vulnerability the attackers might have exploited in the former scenario.

Another feature of LianSpy is its combined use of symmetric (one key for both
encrypting and decrypting information) and asymmetric (separate public and
private keys) encryption. Before being stolen, the data is encrypted with a
symmetric algorithm, the key for which is encrypted asymmetrically. Only the
attacker possesses the private key. For more details about LianSpy
functionality, see our Securelist post.


WHO’S BEHIND LIANSPY?

Good question. The attackers only utilize public services, not private
infrastructure, which makes it difficult to definitively determine which hacker
group is behind these attacks on Android smartphone users in Russia. The
paymaster’s identity is also not known, but, as global practice shows, such
sophisticated cyberespionage campaigns are often instigated by groups affiliated
with a nation-state actor.


HOW TO GUARD AGAINST SPYWARE SURVEILLANCE?

 * Download apps only from official stores and catalogs, but keep in mind that
   spyware can infiltrate even those.
 * Update your operating system regularly — not all malware can adapt to new
   security features.
 * Use well-known apps from trusted developers. Avoid alternative clients for
   instant messengers and other services, as they may contain malicious code
   (read more about spyware mods for WhatsApp, Telegram and Signal).
 * Use Kaspersky: Antivirus & VPN to detect spyware such as LianSpy in a timely
   manner.
 * If you still don’t have reliable protection, use TinyCheck, a spyware
   detection tool.
 * Only grant applications the permissions they need to function.



from Kaspersky official blog https://ift.tt/1dKFBbR
via IFTTT

Posted by Pigram86 at 5:50 AM No comments:
Labels: Feedly, IFTTT



CRITICAL FLAW IN ROCKWELL AUTOMATION DEVICES ALLOWS UNAUTHORIZED ACCESS



Aug 05, 2024Ravie LakshmananNetwork Security / Vulnerability

A high-severity security bypass vulnerability has been disclosed in Rockwell
Automation ControlLogix 1756 devices that could be exploited to execute Common
Industrial Protocol (CIP) programming and configuration commands.

The flaw, which is assigned the CVE identifier CVE-2024-6242, carries a CVSS
v3.1 score of 8.4.

"A vulnerability exists in the affected products that allows a threat actor to
bypass the Trusted Slot feature in a ControlLogix controller," the U.S.
Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.

"If exploited on any affected module in a 1756 chassis, a threat actor could
potentially execute CIP commands that modify user projects and/or device
configuration on a Logix controller in the chassis."

Operational technology security company Claroty, which discovered and reported
the vulnerability, said it developed a technique that made it possible to bypass
the trusted slot feature and send malicious commands to the programmable logic
controller (PLC) CPU.

The trusted slot feature "enforces security policies and allows the controller
to deny communication via untrusted paths on the local chassis," security
researcher Sharon Brizinov said.

"The vulnerability we found, before it was fixed, allowed an attacker to jump
between local backplane slots within a 1756 chassis using CIP routing,
traversing the security boundary meant to protect the CPU from untrusted cards."

While a successful exploit requires network access to the device, an attacker
could take advantage of the flaw to send elevated commands, including
downloading arbitrary logic to the PLC CPU, even if the attacker is located
behind an untrusted network card.

Following responsible disclosure, the shortcoming has been addressed in the
following versions -

 * ControlLogix 5580 (1756-L8z) - Update to versions V32.016, V33.015, V34.014,
   V35.011, and later.
 * GuardLogix 5580 (1756-L8zS) - Update to versions V32.016, V33.015, V34.014,
   V35.011 and later.
 * 1756-EN4TR - Update to versions V5.001 and later.
 * 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR
   Series B, and 1756-EN2TP Series A - Update to version V12.001 and later.

"This vulnerability had the potential to expose critical control systems to
unauthorized access over the CIP protocol that originated from untrusted chassis
slots," Brizinov said.




from The Hacker News https://ift.tt/1pEe7oz
via IFTTT

Posted by Pigram86 at 2:20 AM No comments:
Labels: Feedly, IFTTT



NEW ANDROID TROJAN "BLANKBOT" TARGETS TURKISH USERS' FINANCIAL DATA



Aug 05, 2024Ravie LakshmananMobile Security / Financial Security

Cybersecurity researchers have discovered a new Android banking trojan called
BlankBot targeting Turkish users with an aim to steal financial information.

"BlankBot features a range of malicious capabilities, which include customer
injections, keylogging, screen recording and it communicates with a control
server over a WebSocket connection," Intel 471 said in an analysis published
last week.

Discovered on July 24, 2024, BlankBot is said to be undergoing active
development, with the malware abusing Android's accessibility services
permissions to obtain full control over the infected devices.

The names of some of the malicious APK files containing BlankBot are listed
below -

 * app-release.apk (com.abcdefg.w568b)
 * app-release.apk (com.abcdef.w568b)
 * app-release-signed (14).apk (com.whatsapp.chma14)
 * app.apk (com.whatsapp.chma14p)
 * app.apk (com.whatsapp.w568bp)
 * showcuu.apk (com.whatsapp.w568b)

Like the recently resurfaced Mandrake Android trojan, BlankBot implements a
session-based package installer to circumvent the restricted settings feature
introduced in Android 13 to block sideloaded applications from directly
requesting dangerous permissions.

"The bot asks the victim to allow installing applications from the third-party
sources, then it retrieves the Android package kit (APK) file stored inside the
application assets directory with no encryption and proceeds with the package
installation process," Intel 471 said.

The malware comes with a wide range of features to perform screen recording,
keylogging, and inject overlays based on specific commands received from a
remote server to harvest bank account credentials, payment data, and even the
pattern used to unlock the device.

BlankBot is also capable of intercepting SMS messages, uninstalling arbitrary
applications, and gathering data such as contact lists and installed apps. It
further makes use of the accessibility services API to prevent the user from
accessing device settings or launching antivirus apps.

"BlankBot is a new Android banking trojan still under development, as evidenced
by the multiple code variants observed in different applications," the
cybersecurity company said. "Regardless, the malware can perform malicious
actions once it infects an Android device."

The disclosure comes as Google outlined the various steps it's taking to combat
threat actors' use of cell-site simulators like Stingrays to inject SMS messages
directly into Android phones, a fraud technique referred to as SMS Blaster
fraud.

"This method to inject messages entirely bypasses the carrier network, thus
bypassing all the sophisticated network-based anti-spam and anti-fraud filters,"
Google said. "SMS Blasters expose a fake LTE or 5G network which executes a
single function: downgrading the user's connection to a legacy 2G protocol."

The mitigation measures include a user option to disable 2G at the modem level
and turn off null ciphers, the latter of which is an essential configuration for
a False Base Station in order to inject an SMS payload.

Earlier this May, Google also said it's stepping up cellular security by
alerting users if their cellular network connection is unencrypted and if
criminals are using cell-site simulators to snoop on users or send them
SMS-based fraud messages.




from The Hacker News https://ift.tt/SLHv0pQ
via IFTTT

Posted by Pigram86 at 1:25 AM No comments:



CHINA-LINKED HACKERS COMPROMISE ISP TO DEPLOY MALICIOUS SOFTWARE UPDATES



Aug 05, 2024Ravie LakshmananBrowser Security / Windows Security

The China-linked threat actor known as Evasive Panda compromised an unnamed
internet service provider (ISP) to push malicious software updates to target
companies in mid-2023, highlighting a new level of sophistication associated
with the group.

Evasive Panda, also known by the names Bronze Highland, Daggerfly, and
StormBamboo, is a cyber espionage group that's been active since at least 2012,
leveraging backdoors such as MgBot (aka POCOSTICK) and Nightdoor (aka NetMM and
Suzafk) to harvest sensitive information.

More recently, the threat actor was formally attributed to the use of a macOS
malware strain called MACMA, which has been observed in the wild as far back as
2021.

"StormBamboo is a highly skilled and aggressive threat actor who compromises
third-parties (in this case, an ISP) to breach intended targets," Volexity said
in a report published last week.

"The variety of malware employed in various campaigns by this threat actor
indicates significant effort is invested, with actively supported payloads for
not only macOS and Windows, but also network appliances."

Public reporting from ESET and Symantec over the past two years has documented
Evasive Panda's use of MgBot and its track record of orchestrating watering hole
and supply chain attacks targeting Tibetan users.

It was also found to have targeted an international non-governmental
organization (NGO) in Mainland China with MgBot delivered via update channels of
legitimate applications like Tencent QQ.

While it was speculated that the trojanized updates were either the result of a
supply chain compromise of Tencent QQ's update servers or a case of an
adversary-in-the-middle (AitM) attack, Volexity's analysis confirms it's the
latter stemming from a DNS poisoning attack at the ISP level.

Specifically, the threat actor is said to be altering DNS query responses for
specific domains tied to automatic software update mechanisms, going after
software that used insecure update mechanisms, such as HTTP, or did not enforce
adequate integrity checks of the installers.

"It was discovered that StormBamboo poisoned DNS requests to deploy malware via
an HTTP automatic update mechanism and poison responses for legitimate hostnames
that were used as second-stage, command-and-control (C2) servers," researchers
Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster said.

The attack chains are fairly straightforward in that the insecure update
mechanisms are abused to deliver either MgBot or MACMA depending on the
operating system used. Volexity said it notified the concerned ISP to remediate
the DNS poisoning attack.
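The integrity checks the paragraphs above say were missing, as an added Python example that is not Volexity's code or any vendor's updater: the update URL must be HTTPS, the version must not go backwards, and the installer's SHA-256 must match a manifest the client already trusts. Hostnames, payload bytes and the manifest are constructed, and the manifest is assumed to reach the client authentically (for example pinned at build time), not over the same connection as the payload.

```python
"""Added example (not Volexity's or any vendor's code): the checks an
auto-update client needs so that a poisoned DNS answer cannot hand it a
trojanized installer.  Hostnames, payload bytes and the manifest are
constructed; the manifest is assumed to reach the client authentically
(e.g. pinned at build time), not over the same connection as the payload."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

GENUINE_INSTALLER = b"MZ\x90\x00 constructed genuine installer bytes"
# What a client behind a poisoned resolver would be served instead.
TAMPERED_INSTALLER = b"MZ\x90\x00 constructed trojanized installer bytes"


def make_manifest(version, url, payload):
    """Constructed manifest format: version, download URL, pinned digest."""
    return json.dumps({"version": version, "url": url,
                       "sha256": hashlib.sha256(payload).hexdigest()})


MANIFEST = make_manifest("2.1.0", "https://updates.example.test/app-2.1.0.exe",
                         GENUINE_INSTALLER)
# Same digest but a plaintext URL: the transport itself is the weakness.
HTTP_MANIFEST = make_manifest("2.1.0", "http://updates.example.test/app-2.1.0.exe",
                              GENUINE_INSTALLER)


class UpdateRejected(Exception):
    """Raised when an update fails a transport, version or integrity check."""


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def check_update_url(url):
    """Refuse plaintext transport: with DNS poisoned, http:// lets the
    attacker's host answer as the update server with nothing to verify."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise UpdateRejected(f"update URL must use https, got {scheme!r}")


def verify_installer(payload, manifest_json, installed_version):
    """Accept payload only if the manifest's URL is https, the version is
    newer than what is installed, and the SHA-256 matches the pinned value.
    Returns the new version string."""
    manifest = json.loads(manifest_json)
    check_update_url(manifest["url"])
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("refusing downgrade or re-install")
    digest = hashlib.sha256(payload).hexdigest()
    # constant-time comparison against the pinned digest
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("installer digest mismatch")
    return manifest["version"]


def insecure_apply(payload):
    """The pattern the campaign abused: run whatever the 'update server'
    returned.  Accepts the tampered payload as readily as the genuine one."""
    return payload.startswith(b"MZ")


def try_update(payload, manifest_json, installed_version="2.0.0"):
    """Return (accepted, reason) so outcomes are easy to inspect and test."""
    try:
        version = verify_installer(payload, manifest_json, installed_version)
        return True, f"installed {version}"
    except UpdateRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(try_update(GENUINE_INSTALLER, MANIFEST))
    print(try_update(TAMPERED_INSTALLER, MANIFEST))
    print(try_update(GENUINE_INSTALLER, HTTP_MANIFEST))
    print("insecure path runs tampered payload:", insecure_apply(TAMPERED_INSTALLER))
```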

One instance also entailed the deployment of a Google Chrome extension on the
victim's macOS device by modifying the Secure Preferences file. The browser
add-on purports to be a tool that loads a page in compatibility mode with
Internet Explorer, but its main objective is to exfiltrate browser cookies to a
Google Drive account controlled by the adversary.

"The attacker can intercept DNS requests and poison them with malicious IP
addresses, and then use this technique to abuse automatic update mechanisms that
use HTTP rather than HTTPS," the researchers said.




from The Hacker News https://ift.tt/RSGMqJA
via IFTTT

Posted by Pigram86 at 1:25 AM No comments:



SUNDAY, AUGUST 4, 2024


TECHNOLOGY AND POLITICS COLLIDE



For many years, Silicon Valley was considered to be somewhat apolitical. But the
last decade has changed the relationship with governments. What’s causing the
changes? 

SHOW: 844

SHOW TRANSCRIPT: The Cloudcast #844 Transcript

SHOW VIDEO: https://youtube.com/@TheCloudcastNET 

CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw

CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"

SHOW SPONSOR:


SHOW NOTES:

 * It’s Silicon Valley vs. Silicon Valley (NY Times)
 * VCs for Kamala
 * The Little Tech Agenda: Why We Support Trump (a16z)
 * BG2 Podcast - Silicon Valley’s Political 180




SHOW NOTES:

TECHNOLOGY IS A CRITICAL DRIVER OF ECONOMIC GROWTH

 * VCs are becoming more visible and vocal in their political agendas
 * Billionaires have the wealth, power and influence of nation states
 * European and APAC tech policy are more defined than US

DOES GROWTH ALLOW YOU TO AVOID RESPONSIBILITY OR ACCOUNTABILITY?

 * Has there been an “unwritten” agreement between WashDC and Silicon Valley?
 * Crypto is not just another technology
 * Issues: Antitrust, Taxes, Future of AI, etc.




FEEDBACK?

 * Email: show at the cloudcast dot net
 * Twitter: @cloudcastpod
 * Instagram: @cloudcastpod
 * TikTok: @cloudcastpod



from The Cloudcast (.NET) https://ift.tt/2VBmUTG
via IFTTT

Posted by Pigram86 at 1:15 AM No comments:



SATURDAY, AUGUST 3, 2024


DOJ AND FTC SUE TIKTOK FOR VIOLATING CHILDREN'S PRIVACY LAWS



Aug 03, 2024Ravie LakshmananPrivacy / Data Protection

The U.S. Department of Justice (DoJ), along with the Federal Trade Commission
(FTC), filed a lawsuit against popular video-sharing platform TikTok for
"flagrantly violating" children's privacy laws in the country.

The agencies claimed the company knowingly permitted children to create TikTok
accounts and to view and share short-form videos and messages with adults and
others on the service.

They also accused it of illegally collecting and retaining a wide variety of
personal information from these children without notifying or obtaining consent
from their parents, in contravention of the Children's Online Privacy Protection
Act (COPPA).

TikTok's practices also infringed a 2019 consent order between the company and
the government in which it pledged to notify parents before collecting
children's data and remove videos from users under 13 years old, they added.

COPPA prohibits online platforms from gathering, using, or disclosing personal
information from children under the age of 13 unless they have obtained consent
from their parents. It also mandates that companies delete all the collected
information at the parents' request.

"Even for accounts that were created in 'Kids Mode' (a pared-back version of
TikTok intended for children under 13), the defendants unlawfully collected and
retained children's email addresses and other types of personal information,"
the DoJ said.

"Further, when parents discovered their children's accounts and asked the
defendants to delete the accounts and information in them, the defendants
frequently failed to honor those requests."

The complaint further alleged the ByteDance-owned company subjected millions of
children under 13 to extensive data collection that enabled targeted advertising
and allowed them to interact with adults and access adult content.

It also faulted TikTok for not exercising adequate due diligence during the
account creation process by building backdoors that made it possible for
children to bypass the age gate aimed at screening those under 13 by letting
them sign in using third-party services like Google and Instagram and
classifying such accounts as "age unknown" accounts.

"TikTok human reviewers allegedly spent an average of only five to seven seconds
reviewing each account to make their determination of whether the account
belonged to a child," the FTC said, adding it will take steps to protect
children's privacy from firms that deploy "sophisticated digital tools to
surveil kids and profit from their data."

TikTok has more than 170 million active users in the U.S. While the company has
disputed the allegations, it's the latest setback for the video platform, which
is already the subject of a law that would force a sale or a ban of the app by
early 2025 because of national security concerns. It has filed a petition in
federal court seeking to overturn the ban.

"We disagree with these allegations, many of which relate to past events and
practices that are factually inaccurate or have been addressed," TikTok said.
"We offer age-appropriate experiences with stringent safeguards, proactively
remove suspected underage users, and have voluntarily launched features such as
default screen time limits, Family Pairing, and additional privacy protections
for minors."

The social media platform has also faced scrutiny globally over child
protection. European Union regulators handed TikTok a €345 million fine in
September 2023 for violating data protection laws in relation to its handling of
children's data. In April 2023, it was fined £12.7 million by the ICO for
illegally processing the data of 1.4 million children under 13 who were using
its platform without parental consent.

The lawsuit comes as the U.K. Information Commissioner's Office (ICO) revealed
it asked 11 media and video-sharing platforms to improve their children's
privacy practices or risk facing enforcement action. The names of the offending
services were not disclosed.

"Eleven out of the 34 platforms are being asked about issues relating to default
privacy settings, geolocation or age assurance, and to explain how their
approach conforms with the [Children's Code]," it said. "We are also speaking to
some of the platforms about targeted advertising to set out expectations for
changes to ensure practices are in line with both the law and the code."




from The Hacker News https://ift.tt/gQAWxKl
via IFTTT

Posted by Pigram86 at 6:20 AM No comments:



FRIDAY, AUGUST 2, 2024


WEBINAR: DISCOVER THE ALL-IN-ONE CYBERSECURITY SOLUTION FOR SMBS



Aug 02, 2024The Hacker News

In today's digital battlefield, small and medium businesses (SMBs) face the same
cyber threats as large corporations, but with fewer resources. Managed service
providers (MSPs) are struggling to keep up with the demand for protection.

If your current cybersecurity strategy feels like a house of cards – a complex,
costly mess of different vendors and tools – it's time for a change.

Imagine having all the protection you need in one place, with one easy-to-use
interface. That's the power of an All-in-One platform.

Join our upcoming webinar to learn how MSPs and SMBs are using these platforms
to:

 * Simplify: Reduce costs and complexity by consolidating your security tools.
 * Accelerate: Speed up threat response and focus on growing your business.
 * Scale: Expand your cybersecurity capabilities without breaking the bank.

Cynet experts will demonstrate how their All-in-One platform combines a full
suite of security features with 24/7 support.

Who Should Attend:

 * Small and Medium Businesses: Get enterprise-level protection at an affordable
   price.
 * Managed Service Providers: Unlock new revenue streams with comprehensive
   cybersecurity services.

Don't miss this opportunity to improve your cybersecurity ROI. Register now to
secure your spot!

This article is a contributed piece from one of our valued partners.



from The Hacker News https://ift.tt/jwdE3Y2
via IFTTT

Posted by Pigram86 at 8:15 AM No comments:



VDI IS THE TRUMP CARD FOR MINIMIZING THE IMPACT OF THE LARGE-SCALE BLUE SCREEN OUTAGE AND RECOVERING FASTEST: RECONSIDERING THE VALUE OF VDI, OLD AND NEW



The aftermath of the Windows Blue Screen of Death (BSoD) outage that occurred on
July 19, 2024 has not fully subsided. It struck simultaneously around the world
and affected roughly 8.5 million Windows PCs, and it also spread to Windows-based
commercial systems; with TV news showing travelers stranded at airports after
flight operation systems went down, it has come to be seen as a major social
problem.

At our company, myself included, we were unaffected and worked on our PCs as
usual that day, watching the "blue screen festival" unfold elsewhere while hoping
for a quick recovery. Prompted by the coverage, I sorted out the scope of the
impact on Citrix and took a fresh look at the effectiveness of virtual
applications and virtual desktops (collectively referred to here as VDI).

WHY WAS OUR COMPANY ABLE TO AVOID THE IMPACT?

A CrowdStrike update is said to have been the cause: Windows detected an
abnormality and normal operation of the PC became impossible. Our company does
not use CrowdStrike, so the outage did not occur here. Even if it had, a user
could connect to VDI from another device that was unaffected and use their own
normal Windows desktop. There is no need to panic; recovery can be handled on
the administrator side.
This BSoD was an unfortunate outage, but it is also the kind of event a business
continuity plan (BCP) is meant to anticipate. VDI is effective for BCP.

HOW VDI WORKS AND ITS ADVANTAGES

On a physical PC, the OS, user profile, applications and data all live in the
same environment, the PC itself, and work together to carry out business tasks.
In the figure below, the usage environment and the execution environment are
the same (= the PC).
VDI separates the OS, profile, applications and data from the physical PC and
composes them dynamically in the cloud or a data center. Once an environment
called a virtual desktop or virtual PC has been prepared in the cloud/data
center (= a PC boots in the cloud or data center), its screen image is
transferred to the usage environment.

The user views the transferred screen image on whatever device is at hand and
operates it with a keyboard, mouse or trackpad just as they would a normal PC.



How efficiently the required number of each component in the execution
environment is provisioned, and how far the performance of screen image
transfer is pushed, is Citrix's know-how and advantage.

Being able to connect to a PC environment and get work done anytime, anywhere,
and having most PC endpoint maintenance, including security, consolidated on the
center side, delivers user productivity and IT manageability at the same time.

A customer's remark I heard recently, "Maintaining our 60,000-plus PCs is really
easy. Our security team says VDI is the strongest," rings true.

COULD VDI HAVE AVOIDED THE BLUE SCREEN (BSoD) OUTAGE?

Because various mechanisms are deployed on Windows Server, an environment that
also uses CrowdStrike may have been affected by this outage, but Citrix Cloud
services were not affected.
Citrix DaaS customers who access through Workspace or the Gateway Service
should check their in-house infrastructure (Active Directory, Cloud Connector,
and so on).
On the other hand, for on-premises deployments that customers manage and operate
themselves (including via an integrator), check the following components in
order.

Cloud Connector

In both StoreFront and Workspace workloads, user logon and resource enumeration
may be affected.

Delivery Controller

User logon and resource enumeration may be affected.

VDA

Applications and desktops may fail to launch.

StoreFront

Users may be unable to reach the StoreFront URL and select the application or
desktop they need.

Federated Authentication Service

Logon to the VDA may fail.

Director

Administrators may be unable to act on running sessions or view reports
(monitoring data is recorded in SQL).

SQL Server

If the other components are functioning, the site may switch to Local Host
Cache (LHC) mode so that connection brokering can continue.

License Server

If the other components are functioning, it may switch to license caching mode
(license issuance is provisionally maintained from the cache).

Persistent VDAs

If you use a fixed, pre-configured Windows environment per user, restore from a
trusted backup or apply the CrowdStrike-recommended fix.

Non-persistent VDAs

They do not auto-update, so the outage did not occur. Should it occur, rebooting
the VDA resets it to the golden image.

App Layering

This application delivery appliance is not Windows-based, so the outage does not
occur. Images delivered by App Layering are treated as non-persistent machines.

User endpoints

For Windows endpoints, apply the CrowdStrike-recommended fix. Non-Windows
endpoints such as Mac, Linux, Chromebook, thin clients and smartphones are not
affected.

By checking the above, you can keep the impact to a minimum and recover quickly
even if an outage occurs.

PROVISIONING SERVICES (PVS) PROVES ITS WORTH

PVS is a tool that deploys VM images at scale and at high speed, built on a
network-boot mechanism. It shines not only for new deployments but also for
rolling back faulty VMs or mass-deploying a new, remediated image.
Below are measured values from deploying 2,240 VMs to Azure East US using PVS.

Within 8 minutes, 99.96% of the 2,240 VMs were deployed!
(Standard D4as v4 instances x 2,240)




IS VDI STILL WORTH BUYING NOW?

VDI is still a "buy" today.

In the IT world too, trends swing back and forth in cycles of a few years. After
server consolidation came distribution; cloud adoption advances, yet a return to
on-premises is also seen.

If you think VDI is a technology trend of the past, don't treat it as a trend:
understand its essence and judge whether your company's IT objectives need it.
The essence of Citrix VDI is:

 * High security
 * High flexibility
 * High productivity
 * Appropriate ROI

At the same time, it also plays its role in BCP measures, which normally stay
out of the spotlight.

An old yet new technology: make VDI on the Citrix platform the workspace for all
your employees!

(This blog was written on July 22, 2024)




from Citrix Blogs https://ift.tt/6mtcCQ7
via IFTTT

Posted by Pigram86 at 8:10 AM No comments:



NEW WINDOWS BACKDOOR BITSLOTH EXPLOITS BITS FOR STEALTHY COMMUNICATION



Aug 02, 2024Ravie LakshmananCyber Attack / Windows Security

Cybersecurity researchers have discovered a previously undocumented Windows
backdoor that leverages a built-in feature called Background Intelligent
Transfer Service (BITS) as a command-and-control (C2) mechanism.

The newly identified malware strain has been codenamed BITSLOTH by Elastic
Security Labs, which made the discovery on June 25, 2024, in connection with a
cyber attack targeting an unspecified Foreign Ministry of a South American
government. The activity cluster is being tracked under the moniker REF8747.

"The most current iteration of the backdoor at the time of this publication has
35 handler functions including keylogging and screen capture capabilities,"
security researchers Seth Goodwin and Daniel Stepanic said. "In addition,
BITSLOTH contains many different features for discovery, enumeration, and
command-line execution."

It's assessed that the tool – in development since December 2021 – is being used
by the threat actors for data gathering purposes. It's currently not clear who
is behind it, although a source code analysis has uncovered logging functions
and strings that suggest the authors could be Chinese speakers.

Another potential link to China comes from the use of an open-source tool called
RingQ. RingQ is used to encrypt the malware and prevent detection by security
software, which is then decrypted and executed directly in memory.

In June 2024, the AhnLab Security Intelligence Center (ASEC) revealed that
vulnerable web servers are being exploited to drop web shells, which are then
leveraged to deliver additional payloads, including a cryptocurrency miner via
RingQ. The attacks were attributed to a Chinese-speaking threat actor.

The attack is also notable for the use of STOWAWAY to proxy encrypted C2 traffic
over HTTP and a port forwarding utility called iox, the latter of which has been
previously leveraged by a Chinese cyber espionage group dubbed Bronze Starlight
(aka Emperor Dragonfly) in Cheerscrypt ransomware attacks.

BITSLOTH, which takes the form of a DLL file ("flengine.dll"), is loaded by
means of DLL side-loading, using a legitimate executable associated with
Image-Line's FL Studio ("fl.exe").

"In the latest version, a new scheduling component was added by the developer to
control specific times when BITSLOTH should operate in a victim environment,"
the researchers said. "This is a feature we have observed in other modern
malware families such as EAGERBEE."

A fully-featured backdoor, BITSLOTH is capable of running and executing
commands, uploading and downloading files, performing enumeration and discovery,
and harvesting sensitive data through keylogging and screen capturing.

It can also set the communication mode to either HTTP or HTTPS, remove or
reconfigure persistence, terminate arbitrary processes, log users off from the
machine, restart or shutdown the system, and even update or delete itself from
the host. A defining aspect of the malware is its use of BITS for C2.

"This medium is appealing to adversaries because many organizations still
struggle to monitor BITS network traffic and detect unusual BITS jobs," the
researchers added.
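One way to act on that observation, as an added Python example that is not Elastic's tooling: parse the message text of BITS-Client operational event 59 ("BITS started the ... transfer job that is associated with the ... URL.") and flag transfer jobs whose destination is not an expected host, is a bare IP address, or uses plaintext HTTP. The event lines, the expected-host list and the job names are constructed sample data.

```python
"""Added example (not Elastic's detection logic): triage of BITS client
events for unusual transfer jobs.  Log lines, expected hosts and job names
below are constructed sample data."""
import re
from urllib.parse import urlparse

# Hosts this (hypothetical) organization expects BITS to talk to.  Assumption:
# a real deployment derives this list from its own software inventory.
EXPECTED_HOSTS = {
    "download.windowsupdate.com",
    "tlu.dl.delivery.mp.microsoft.com",
    "updates.example.test",
}

# Constructed export: "<timestamp> <event id> <message>" using the message
# text of Microsoft-Windows-Bits-Client/Operational events 59 and 60.
SAMPLE_EVENTS = """\
2024-06-25T09:58:01Z 59 BITS started the WU Client Download transfer job that is associated with the https://download.windowsupdate.com/c/msdownload/update.cab URL.
2024-06-25T10:02:14Z 59 BITS started the Office Update transfer job that is associated with the https://updates.example.test/office/patch.msp URL.
2024-06-25T10:05:37Z 59 BITS started the Update Job transfer job that is associated with the http://203.0.113.10/download URL.
2024-06-25T10:05:38Z 59 BITS started the Update Job transfer job that is associated with the https://203.0.113.10/ping URL.
2024-06-25T10:07:00Z 60 BITS stopped transferring the WU Client Download transfer job that is associated with the https://download.windowsupdate.com/c/msdownload/update.cab URL. The status code is 0x0.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) BITS started the (?P<job>.+?) transfer job "
    r"that is associated with the (?P<url>\S+) URL\.$"
)


def parse_started_jobs(text):
    """Yield a dict per event-59 line; other event IDs are ignored."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m and m.group("id") == "59":
            yield m.groupdict()


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def assess(job):
    """Return the reasons a job deserves a look; an empty list means benign."""
    reasons = []
    u = urlparse(job["url"])
    host = u.hostname or ""
    if host not in EXPECTED_HOSTS:
        reasons.append("destination not in expected host list")
    if is_ip_literal(host):
        reasons.append("destination is a bare IP address")
    if u.scheme == "http":
        reasons.append("plaintext HTTP transfer")
    return reasons


def find_suspicious(text):
    """Return (timestamp, job name, url, reasons) for every flagged job."""
    hits = []
    for job in parse_started_jobs(text):
        reasons = assess(job)
        if reasons:
            hits.append((job["ts"], job["job"], job["url"], reasons))
    return hits


if __name__ == "__main__":
    for ts, name, url, reasons in find_suspicious(SAMPLE_EVENTS):
        print(ts, repr(name), url, "->", "; ".join(reasons))
```

On a live host the same parser can be fed the output of an event-log export; the allowlist, not the regex, is what needs tuning per environment.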




from The Hacker News https://ift.tt/Cz2QwDa
via IFTTT

Posted by Pigram86 at 7:06 AM No comments:



FIGHTING URSA LURING TARGETS WITH CAR FOR SALE





EXECUTIVE SUMMARY

A Russian threat actor we track as Fighting Ursa advertised a car for sale as a
lure to distribute HeadLace backdoor malware. The campaign likely targeted
diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear
and Sofacy) has been associated with Russian military intelligence and
classified as an advanced persistent threat (APT) [PDF].

Diplomatic-car-for-sale phishing lure themes have been used by Russian threat
actors for years. These lures tend to resonate with diplomats and get targets to
click on the malicious content.

Unit 42 has previously observed other threat groups using this tactic. For
example, in 2023, a different Russian threat group, Cloaked Ursa, repurposed an
advertisement for a BMW for sale to target diplomatic missions within Ukraine.
This campaign is not directly connected to the Fighting Ursa campaign described
here. However, the similarity in tactics points to known behaviors of Fighting
Ursa. The Fighting Ursa group is known for repurposing successful tactics – even
continuously exploiting known vulnerabilities for 20 months after their cover
was already blown.

The details of the March 2024 campaign, which we attribute to Fighting Ursa with
a medium to high level of confidence, indicate the group targeted diplomats and
relied on public and free services to host various stages of the attack. This
article examines the infection chain from the attack.

Palo Alto Networks customers are better protected from the threats discussed in
this article through our Network Security solutions, such as Advanced WildFire
and Advanced URL Filtering, as well as our Cortex line of products.

If you think you might have been compromised or have an urgent matter, contact
the Unit 42 Incident Response team.

Related Unit 42 Topics: APTs, Fighting Ursa


INITIAL LURE

The URL kicking off this infection chain was hosted by a legitimate service
named Webhook.site, and it was submitted to VirusTotal on March 14, 2024.
Webhook.site is a service for legitimate development projects, and it allows its
users to create randomized URLs for various purposes like custom automation
based on the characteristics of visitors to the URLs.

In this case, Fighting Ursa abused Webhook.site to craft a URL that returned a
malicious HTML page. Figure 1 below shows the HTML returned from the
webhook[.]site URL.

Figure 1. HTML code used in the attack hosted on the Webhook.site service.

The HTML shown above in Figure 1 has multiple elements that attempt to automate
the attack. First, it checks if the visiting computer is Windows-based. If not,
it redirects to a decoy image on a URL hosted by another legitimate provider,
which is a free service named ImgBB. As the final payload is Windows based, this
operating system check is probably an effort to ensure that further actions
taken in the attack are only taken for Windows visitors. The HTML then creates a
ZIP archive from Base64 text in the HTML, offers it for download and attempts to
open it with the JavaScript click() function.

Figure 2 below shows the decoy image advertising a car for sale, specifically an
Audi Q7 Quattro SUV. This fake advertisement is titled “Diplomatic Car For
Sale.”

The image provides different views of the vehicle. The image also contains
contact details that are likely fake, as well as a phone number based in
Romania. Finally, the image also lists the point of contact as the Southeast
European Law Enforcement Center, possibly to lend this fake advertisement more
credibility.

Figure 2. Diplomatic car for sale lure hosted on ImgBB.


DOWNLOADED MALWARE

The downloaded ZIP archive is saved as IMG-387470302099.zip and contains three
files listed below in Table 1.

File Size        Modified Date and Time   File Name
918,528 bytes    2009-07-13 18:38 UTC     IMG-387470302099.jpg.exe
9,728 bytes      2024-03-13 00:37 UTC     WindowsCodecs.dll
922 bytes        2024-03-13 00:37 UTC     zqtxmo.bat

Table 1. Contents of the downloaded file IMG-387470302099.zip.

Table 1 above shows that the first file IMG-387470302099.jpg.exe has a double
file extension of .jpg.exe. Windows hosts with a default configuration hide file
extensions, so the .jpg.exe file extension only shows as .jpg in the file name.
This is a common tactic used by threat actors to trick potential victims into
double-clicking the file, in this case believing it will open a car for sale
advertisement.

The file named IMG-387470302099.jpg.exe is a copy of the legitimate Windows
calculator file calc.exe. This file is used to sideload the included DLL file
WindowsCodecs.dll, which is a component of the HeadLace backdoor.

HeadLace is modular malware that executes in stages. This stage-based loading is
probably designed to prevent detection and minimize the malware's exposure to
analysts. The DLL file contains a function shown below in Figure 3.

Figure 3. Code in WindowsCodecs.dll file to run a file named zqtxmo.bat.

This function is solely meant to execute the last file within the ZIP archive,
zqtxmo.bat. Figure 4 below shows the content of zqtxmo.bat.

Figure 4. Contents of the zqtxmo.bat batch file.

This batch file starts a process for Microsoft Edge (start msedge) to run
content passed as Base64-encoded text. As shown above in Figure 4, the decoded
text is a hidden iframe that retrieves content from a different Webhook.site
URL.

The batch file saves content from this second Webhook.site URL as
IMG387470302099.jpg in the user's downloads directory. It then moves the
downloaded file into the %programdata% directory and changes the file extension
from .jpg to .cmd. Finally, the batch file executes IMG387470302099.cmd, then
deletes itself as a way to remove any obvious trace of malicious activity.
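Static triage for the archive traits described above (a double extension that Explorer shows as .jpg, a system-DLL name placed beside a copied executable, and a batch script), as an added Python example that is not Unit 42's tooling. The archive is rebuilt in memory with inert placeholder bytes under the Table 1 file names, and the list of side-loadable DLL names is a constructed assumption.

```python
"""Added example (not Unit 42's tooling): static triage of a downloaded ZIP
for the traits in Table 1.  The archive is constructed here with inert
placeholder bytes; only the file names mirror the table."""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".txt"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Assumption: DLL names that common Windows binaries import and that are
# therefore candidates for side-loading when found beside an executable.
SIDELOAD_DLL_NAMES = {"windowscodecs.dll", "version.dll", "dbghelp.dll"}


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Same layout as Table 1; bodies are placeholders, not the campaign's files.
SAMPLE_ZIP = build_zip({
    "IMG-387470302099.jpg.exe": b"MZ placeholder executable",
    "WindowsCodecs.dll": b"MZ placeholder dll",
    "zqtxmo.bat": b"rem placeholder batch\r\n",
})


def base_name(path):
    return path.rsplit("/", 1)[-1].lower()


def extensions(path):
    """'IMG.jpg.exe' -> ['.jpg', '.exe'] (lower-cased, in order)."""
    return ["." + p for p in base_name(path).split(".")[1:]]


def last_ext(path):
    exts = extensions(path)
    return exts[-1] if exts else ""


def triage_archive(data):
    """Return sorted (finding, file name) pairs; an empty list means nothing
    of note.  File-name logic only: nothing is executed or unpacked to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [i.filename for i in z.infolist() if not i.is_dir()]
    has_executable = any(last_ext(n) in EXEC_EXTS for n in names)
    findings = []
    for n in names:
        exts = extensions(n)
        if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DECOY_EXTS:
            # Explorer hides known extensions, so this displays as a .jpg
            findings.append(("double extension hides executable", n))
        if exts and exts[-1] in SCRIPT_EXTS:
            findings.append(("script file in archive", n))
        if has_executable and base_name(n) in SIDELOAD_DLL_NAMES:
            findings.append(("system DLL name beside an executable (side-loading)", n))
    return sorted(findings)


if __name__ == "__main__":
    for finding, name in triage_archive(SAMPLE_ZIP):
        print(f"{finding}: {name}")
```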


ATTRIBUTION

We attribute this activity with a medium to high level of confidence to Fighting
Ursa based on the tactics, techniques and procedures (TTPs), characteristics of
the attack infrastructure and the malware family attackers used.

This attack relies heavily on public and free services to host lures and various
stages of the attack. Documentation by IBM, Proofpoint, Recorded Future and
others reveals that while the infrastructure used by Fighting Ursa varies for
different attack campaigns, the group frequently relies on these freely
available services. Furthermore, the tactics from this campaign fit with
previously documented Fighting Ursa campaigns, and the HeadLace backdoor is
exclusive to this threat actor.


CONCLUSION

Fighting Ursa is a motivated threat actor. The infrastructure the group uses has
constantly changed and evolved, as noted in a recent report from Recorded
Future. Other industry reports have also shown various lures this actor uses in
attempts to drop HeadLace malware.

We assess that Fighting Ursa will continue to use legitimate web services in its
attack infrastructure. To defend against these attacks, defenders should limit
access to these or similar hosting services as necessary. If possible,
organizations should scrutinize the use of these free services to identify
possible attack vectors.


PALO ALTO NETWORKS PROTECTION AND MITIGATION

Palo Alto Networks customers are better protected from the threats discussed
above through the following products:

 * Cortex XDR detects the attack chain described above, among other protections
   in the Cortex XDR platform.
 * Advanced URL Filtering identifies known URLs associated with this activity as
   malicious.
 * The Advanced WildFire machine-learning models and analysis techniques have
   been reviewed and updated in light of the IoCs shared in this research.

If you think you may have been compromised or have an urgent matter, get in
touch with the Unit 42 Incident Response team or call:

 * North America Toll-Free: 866.486.4842 (866.4.UNIT42)
 * EMEA: +31.20.299.3130
 * APAC: +65.6983.8730
 * Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat
Alliance (CTA) members. CTA members use this intelligence to rapidly deploy
protections to their customers and to systematically disrupt malicious cyber
actors. Learn more about the Cyber Threat Alliance.


INDICATORS OF COMPROMISE

HTML page hosted on webhook site with decoy image and payload zip file:

 * cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e

Car for sale image lure:

 * 7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb

ZIP file containing calc.exe, malicious DLL and BAT file:

 * dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027

Legitimate calc.exe abused to sideload the malicious DLL:

 * c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

Malicious file named WindowsCodecs.dll sideloaded by calc.exe:

 * 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96

Batch file named zqtxmo.bat executed by the above malicious DLL:

 * a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7

URLs that hosted content for this campaign:

 * hxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae
 * hxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd
 * hxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg


ADDITIONAL RESOURCES

 * GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage
   Campaigns [PDF] – Recorded Future
 * ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace
   malware – IBM
 * TA422’s Dedicated Exploitation Loop—the Same Week After Week – Proofpoint




from Unit 42 https://ift.tt/FaEq1sV
via IFTTT

Posted by Pigram86 at 6:50 AM No comments:



U.S. RELEASES HIGH-PROFILE RUSSIAN HACKERS IN DIPLOMATIC PRISONER EXCHANGE



Aug 02, 2024Ravie LakshmananCyber Crime / Hacking News

In a historic prisoner exchange between Belarus, Germany, Norway, Russia,
Slovenia, and the U.S., two Russian nationals serving time for cybercrime
activities have been freed and repatriated to their country.

They are Roman Valerevich Seleznev and Vladislav Klyushin, who are among the
eight people swapped back to Russia in exchange for the release of 16 detainees,
including four Americans, five Germans and seven Russian citizens who were held
as political prisoners.

U.S. President Joe Biden called the deal a "feat of diplomacy," adding "some of
these women and men have been unjustly held for years." Other nations that
played a role in the swap include Poland and Turkey.

Among those released from Russia are former U.S. Marine Paul Whelan, Wall Street
Journal reporter Evan Gershkovich, Vladimir Kara-Murza, a green-card holder and
a prominent critic of Russian president Vladimir Putin, and Russian-American
journalist Alsu Kurmasheva.

Seleznev, also known by the aliases Track2, Bulba, and nCux, was sentenced in
2017 to 27 years in prison for payment card fraud, causing nearly $170 million
in damages to small businesses and financial institutions in the U.S. He was
subsequently handed another 14-year jail term for his role in a $50 million
cyber fraud ring and for defrauding banks of $9 million through a hacking
scheme.

The other Russian national going home is Klyushin, the owner of security
penetration testing firm M-13 who was sentenced in the U.S. last September for
stealing confidential financial information from U.S. companies in a $93 million
insider-trading scheme.

"Not since the Cold War has there been a similar number of individuals exchanged
in this way and there has never, so far as we know, been an exchange involving
so many countries, so many close U.S. partners and allies working together,"
National Security Adviser Jake Sullivan was quoted as saying.

The development comes as the U.K. National Crime Agency (NCA) announced the
shutdown of a fraud platform called Russian Coms ("russiancoms[.]cm") that
allowed its customers to make over 1.3 million anonymous calls between 2021 and
2024 by masquerading as banks and law enforcement agencies.

Three individuals allegedly linked to the creation and development of the
platform have been arrested and subsequently released on conditional bail. The
caller ID spoofing solution, marketed through Snapchat, Instagram and Telegram,
cost anywhere from £350 to £1,000 and was available as a bespoke handset and,
later, as a web app.

"The platform allowed criminals to hide their identity by appearing to call from
pre-selected numbers, most commonly of financial institutions,
telecommunications companies, and law enforcement agencies," the NCA said. "This
enabled them to gain the trust of victims before stealing their money and
personal details."




from The Hacker News https://ift.tt/XqDTjUb
via IFTTT

Posted by Pigram86 at 4:40 AM No comments:
Labels: Feedly, IFTTT



CYBERCRIMINALS ABUSING CLOUDFLARE TUNNELS TO EVADE DETECTION AND SPREAD MALWARE



Aug 02, 2024Ravie LakshmananMalware / Network Security

Cybersecurity companies are warning about an uptick in the abuse of Cloudflare's
TryCloudflare free service for malware delivery.

The activity, documented by both eSentire and Proofpoint, entails the use of
TryCloudflare to create a one-time tunnel with a random *.trycloudflare.com
hostname. The tunnel exposes a server running on the attacker's own machine to
the internet, so victims' requests are relayed through Cloudflare's
infrastructure to the attacker-controlled host without the attacker having to
register a domain or rent hosting.

Attack chains taking advantage of this technique have been observed delivering a
cocktail of malware families such as AsyncRAT, GuLoader, PureLogs Stealer,
Remcos RAT, Venom RAT, and XWorm.

The initial access vector is a phishing email containing a ZIP archive, which
includes a URL shortcut file that leads the message recipient to a Windows
shortcut file hosted on a TryCloudflare-proxied WebDAV server.

The shortcut file, in turn, executes next-stage batch scripts responsible for
retrieving and executing additional Python payloads, while simultaneously
displaying a decoy PDF document hosted on the same WebDAV server to keep up the
ruse.

"These scripts executed actions such as launching decoy PDFs, downloading
additional malicious payloads, and changing file attributes to avoid detection,"
eSentire noted.

"A key element of their strategy was using direct syscalls to bypass security
monitoring tools, decrypting layers of shellcode, and deploying the Early Bird
APC queue injection to stealthily execute code and evade detection effectively."

According to Proofpoint, the phishing lures are written in English, French,
Spanish, and German, with the email volumes ranging from hundreds to tens of
thousands of messages that target organizations from across the world. The
themes cover a broad range of topics such as invoices, document requests,
package deliveries, and taxes.

The campaign, while attributed to one cluster of related activity, has not been
linked to a specific threat actor or group, but the email security vendor
assessed it to be financially motivated.

The exploitation of TryCloudflare for malicious ends was first recorded last
year, when Sysdig uncovered a cryptojacking and proxyjacking campaign dubbed
LABRAT that weaponized a now-patched critical flaw in GitLab to infiltrate
targets and obscure their command-and-control (C2) servers using Cloudflare
tunnels.

Furthermore, because the chain relies on WebDAV and Server Message Block (SMB)
for payload staging and delivery, enterprises should restrict access to external
file-sharing services to known, allow-listed servers only.
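The first hop of the chain described above is a Windows Internet Shortcut (.url) file inside the ZIP, whose `URL=` line points at a .lnk on a WebDAV share reached through a *.trycloudflare.com hostname. The following is an added example, not eSentire's or Proofpoint's code, of the check a mail gateway or sandbox could apply to such attachments: parse the .url file, pull the remote host out of whichever form the target takes (http(s), `file://host@SSL@443/DavWWWRoot/...`, or a `\\host@SSL\DavWWWRoot\...` UNC path), and apply the allow-list rule from the paragraph above. The `ALLOWED_HOSTS` set, the hostnames and the three sample .url bodies are constructed for the example.

```python
"""Classify Windows .url shortcut targets against a WebDAV allow-list.

Added example; sample .url contents and hostnames are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the corporate WebDAV servers users are allowed to reach.
ALLOWED_HOSTS = {"files.example.internal"}

# \\host@SSL@443\DavWWWRoot\... -> capture "host" (stop at "\" or "@").
UNC_RE = re.compile(r"^\\\\([^\\@]+)", re.IGNORECASE)


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, else None.

    .url files are INI-style; Windows accepts CRLF or LF and an optional BOM.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def target_host(url):
    """Extract the remote host from http(s)://, file:// and \\\\UNC targets."""
    if url.startswith("\\\\"):
        m = UNC_RE.match(url)
        return m.group(1).lower() if m else None
    parsed = urlparse(url)
    netloc = parsed.netloc
    if parsed.scheme == "file" and not netloc:
        # file:////host/share form: host is the first path component.
        netloc = parsed.path.lstrip("/").split("/", 1)[0]
    if not netloc:
        return None
    # Drop WebDAV decorations (@SSL, @443) and an explicit :port.
    return netloc.split("@")[0].rsplit(":", 1)[0].lower()


def assess(url_file_text):
    """Return (verdict, detail) for one .url attachment body."""
    url = parse_url_file(url_file_text)
    if url is None:
        return ("no-url", None)
    host = target_host(url)
    if host is None:
        return ("unparsed", url)
    if host == "trycloudflare.com" or host.endswith(".trycloudflare.com"):
        return ("block-trycloudflare", host)
    if host in ALLOWED_HOSTS:
        return ("allow", host)
    return ("block-not-allowlisted", host)


# Constructed samples: the phishing layout, a legitimate internal share, and
# an external host that is simply not on the allow-list.
SAMPLE_PHISH = (
    "[InternetShortcut]\r\n"
    "URL=file://abc-def-ghi.trycloudflare.com@SSL@443/DavWWWRoot/invoice.lnk\r\n"
    "IconIndex=1\r\n"
)
SAMPLE_UNC = (
    "\ufeff[InternetShortcut]\n"
    "URL=\\\\files.example.internal@SSL\\DavWWWRoot\\policy.pdf\n"
)
SAMPLE_OTHER = "[InternetShortcut]\nURL=https://cdn.example.net:8443/docs/invoice.pdf\n"

if __name__ == "__main__":
    for name, body in [("phish", SAMPLE_PHISH), ("unc", SAMPLE_UNC), ("other", SAMPLE_OTHER)]:
        print(name, assess(body))
```

The allow-list is evaluated after the TryCloudflare check on purpose: a quick tunnel hostname is random and disposable, so it can never be a legitimate entry in the list, and blocking it first keeps the verdict readable in alerts.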

"The use of Cloudflare tunnels provides the threat actors a way to use temporary
infrastructure to scale their operations providing flexibility to build and take
down instances in a timely manner," Proofpoint researchers Joe Wise and Selena
Larson said.

"This makes it harder for defenders and traditional security measures such as
relying on static blocklists. Temporary Cloudflare instances allow attackers a
low-cost method to stage attacks with helper scripts, with limited exposure for
detection and takedown efforts."

The findings come as the Spamhaus Project called on Cloudflare to review its
anti-abuse policies following cybercriminals' exploitation of its services to
mask malicious actions and enhance their operational security by means of what's
called "living-off-trusted-services" (LoTS).

It said it "observes miscreants moving their domains, which are already listed
in the DBL, to Cloudflare to disguise the backend of their operation, be it
spamvertized domains, phishing, or worse."




from The Hacker News https://ift.tt/C8x6ARv
via IFTTT

Posted by Pigram86 at 3:25 AM No comments:
Labels: Feedly, IFTTT



THURSDAY, AUGUST 1, 2024


THERE IS NO REAL FIX TO THE SECURITY ISSUES RECENTLY FOUND IN GITHUB AND OTHER
SIMILAR SOFTWARE



A recently discovered security issue in GitHub and other, similar, version
control products seems to fit into the classic “it’s a feature, not a bug”
category. 

Security researchers last week published their findings on how deleted forks in
GitHub work, potentially leaving the door open for a malicious actor to retrieve
the contents of deleted forks and deleted commits of any project on GitHub,
including secrets that were committed to them, as long as the attacker knows the
commit hash. 

This may not necessarily even be a *new* discovery, because users on social
media were quick to point out that these products have always been designed this
way, so it’s not like a new sort of exploit had just been published. But the
publishing of these findings came after Truffle Security says a major tech
company accidentally leaked a private key for an employee GitHub account, and
despite totally deleting the repo thinking that would take care of the leak, it
was still exposed and accessed by potentially malicious users.  

This potential issue has not been tested in similar software like GitLab or
Bitbucket, but conceivably they have all been designed the same way. What is
confirmed for GitHub is that deleted or unpublished commits can still be
downloaded through the fork network if the requester has the correct commit
hash (or at least a portion of it).  

The issue here is that there is no real patch or fix to address it, and the
behavior is now widely known and has been publicized on the internet.  

GitHub told The Register that this is part of how the software is designed, and
there doesn’t appear any efforts underway to change that. 

“GitHub is committed to investigating reported security issues. We are aware of
this report and have validated that this is expected and documented behavior
inherent to how fork networks work. You can read more about how deleting or
changing visibility affects repository forks in our documentation,” the company
said in a statement to online publication The Register. 

The lesson for users, especially if you’re a private company that primarily uses
GitHub, is just to understand the inherent dangers of using open-source software
like those projects that are created and managed on GitHub. (Martin Lee and I
will be discussing more in tomorrow morning’s episode of Talos Takes.) 

The other option is that, if you’re a GitHub user and at some point, published a
key, you should probably just assume someone has copied it by now. That means
not only deleting references to that key but rotating the key and checking if it
was used improperly.  
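Since deleting a commit or fork does not make a leaked key unreachable, the useful step is to find every credential that ever entered the history and rotate it. The following is an added example, not Truffle Security's or GitHub's tooling, of a minimal history scanner in the spirit of that advice: it walks a list of commits (shape: `{"sha": ..., "files": {path: content}}`, which is what you would assemble from `git log --all -p` or the GitHub API) and reports credential patterns per commit. The two commits and their file contents are constructed; the second one "removes" the key and shows why that alone does not help, because the first commit still reports it. The AWS key is Amazon's documented placeholder, and the PEM body is truncated filler.

```python
"""Scan commit history for credential patterns that need rotating.

Added example; commit contents are constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "commit path kind snippet")

# Patterns with low false-positive rates. Extend for your own token formats.
PATTERNS = {
    "pem-private-key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}


def scan_blob(commit, path, content):
    """Return a Finding for every pattern hit in one file version."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(content):
            # Keep only a prefix so the report itself does not re-leak the secret.
            findings.append(Finding(commit, path, kind, match.group(0)[:12] + "..."))
    return findings


def scan_history(commits):
    """Scan every file version in every commit, newest or oldest first."""
    out = []
    for commit in commits:
        for path, content in commit["files"].items():
            out.extend(scan_blob(commit["sha"], path, content))
    return out


def rotation_list(findings):
    """Collapse findings into the set of credential kinds that must be rotated,
    with the commits where each one appeared."""
    todo = {}
    for f in findings:
        todo.setdefault(f.kind, set()).add(f.commit)
    return todo


# Constructed history: commit a1b2c3d adds two secrets, commit e4f5a6b
# deletes them. A fork or repo deletion would leave a1b2c3d fetchable.
SAMPLE_COMMITS = [
    {
        "sha": "a1b2c3d",
        "files": {
            "deploy/config.env":
                "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
            "deploy/id_rsa":
                "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU\n"
                "-----END OPENSSH PRIVATE KEY-----\n",
        },
    },
    {
        "sha": "e4f5a6b",
        "files": {"deploy/config.env": "AWS_REGION=us-east-1\n"},
    },
]

if __name__ == "__main__":
    for kind, commits in rotation_list(scan_history(SAMPLE_COMMITS)).items():
        print(f"rotate {kind}: seen in {sorted(commits)}")
```

Run this over the full history, not just the current tree, and treat every hit as a rotation task followed by a review of the credential's usage logs; the clean-up commit is cosmetic.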


THE ONE BIG THING 

Cisco Talos recently discovered a malicious campaign that compromised a
Taiwanese government-affiliated research institute, starting as early as July
2023, delivering ShadowPad malware, Cobalt Strike and other customized tools for
post-compromise activities. The activity conducted on the victim endpoint
matches the Chinese hacking group APT41: the combined use of malware,
open-source tools and projects, procedures and post-compromise activity matches
this group's method of operation. ShadowPad, widely considered the successor of
PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking
groups. 


WHY DO I CARE? 

APT41 is a prolific and dangerous threat actor that all users and cybersecurity
practitioners should be keeping track of. The group, also known as Amoeba,
Bronze Atlas, Wicked Spider, and more, is known for carrying out Chinese
state-sponsored espionage activity and other financially motivated cybercrimes.
We have also uncovered that APT41 created a tailored loader to inject a proof of
concept for CVE-2018-0824, a remote code execution vulnerability in Microsoft
COM for Windows, directly into memory to achieve local privilege escalation. 


SO NOW WHAT? 

This threat actor commonly tries to exploit CVE-2018-0824, which Microsoft has
long had a patch available for. Users should ensure all Windows systems are up
to date to the latest version to protect against this vulnerability (and the
hundreds of others that exist in Windows anyway!). Additionally, Talos has
released new ClamAV signatures and Snort rules to detect the ShadowPad malware
and Cobalt Strike beacons used by APT41.  


TOP SECURITY HEADLINES OF THE WEEK 

Another Microsoft outage just days after the massive CrowdStrike-related
incident was the result of a cyber attack, according to the company. The outage
Wednesday morning affected Microsoft Outlook and the video game “Minecraft” for
almost 10 hours and forced thousands of users to report issues. The incident
gained increased interest in the wake of a massive outage last weekend that
resulted in international disruptions and tens of millions of dollars in
damages. Microsoft stated after the outage was resolved that the initial issue
was caused by a distributed denial-of-service attack, and additional mitigations
to defend against that DDoS attack failed. A notification on Microsoft’s website
said the outage affected Microsoft Azure, the cloud platform that powers many of
its services, and Microsoft 365. It also said cloud systems Intune and Entra
were affected. Even though Microsoft had no direct involvement in the previous
outage, the company has been under a microscope since the incident. That outage
was caused by a faulty update to the CrowdStrike Falcon sensor that was pushed
to Windows hosts running it. (BBC, Forbes) 

A new version of the Mandrake Android spyware appears to be spreading through
phony apps on the Google Play store. The revised spyware, used to covertly
track users’ location and activity on their mobile devices, has been downloaded
more than 32,000 times since 2022, according to new research. The original
version of Mandrake was active during two periods, one in 2016 and 2017 and
another between 2018 and 2020. Besides the usual spyware functions, Mandrake can
completely wipe a device with a killswitch, leaving no trace of the malware.
Spyware commonly targets highly vulnerable individuals, including politicians,
activists and journalists. Spouses and romantic partners may also use it to
covertly track their significant others. The most popular fake app used was
AirFS, advertised as a file-sharing app, which was downloaded more than 30,000
times before it was removed from the Google Play store. Once the user installs
the phony app, the Mandrake malware is silently installed, and it asks for
permission to draw overlays on the screen under the guise of the illegitimate
app. (Bleeping Computer, Security Affairs) 

North Korean APT Andariel is accused of carrying out a series of
espionage-focused campaigns targeting U.S. weapon systems over the past two
years. Security researchers say the state-sponsored group targeted healthcare
providers, defense contractors and nuclear facilities, possibly to steal
information that could improve the country’s own weapons programs. North Korea
constantly uses its possession of nuclear weapons to try to intimidate Western
countries. Separately, the U.S. indicted a North Korean citizen for his
alleged involvement in several cyber attacks against American hospitals. The
individual, suspected of having ties to North Korea’s Reconnaissance General
Bureau, allegedly targeted hospitals in Florida and Kansas, healthcare providers
in Arkansas and Connecticut, and a clinic in Colorado. The U.S. State Department
is offering a reward of up to $10 million for information that leads to the
arrest of Rim Jong Hyok. (The Record, CNN) 


CAN’T GET ENOUGH TALOS? 

 * Ransomware and email attacks are hitting businesses more than ever before 
 * Cisco Talos: An oral history 
 * Vulnerability Roundup: Out-of-bounds read vulnerability in NVIDIA driver;
   Open-source flashcard software contains multiple security issues 
 * Talos Takes Ep. #192: Threat actor trends and the most prevalent malware from
   the past quarter 


UPCOMING EVENTS WHERE YOU CAN FIND TALOS 

BlackHat USA (Aug. 3 – 8) 

Las Vegas, Nevada 

Defcon (Aug. 8 – 11) 

Las Vegas, Nevada 

BSides Krakow (Sept. 14)  

Krakow, Poland 


MOST PREVALENT MALWARE FILES FROM TALOS TELEMETRY OVER THE PAST WEEK 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d
MD5: fd743b55d530e0468805de0e83758fe9
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: W32.File.MalParent

SHA 256: 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe
MD5: 49ae44d48c8ff0ee1b23a310cb2ecf5a
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd

SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a
MD5: 200206279107f4a2bb1832e3fcd7d64c
Typical Filename: lsgkozfm.bat
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd



from Cisco Talos Blog https://ift.tt/ks6LjS3
via IFTTT

Posted by Pigram86 at 2:25 PM No comments:
Labels: Feedly, IFTTT





















DEVOPS & LEARNING SITES

 * Chef
 * Chef Supermarket
 * Code Academy
 * Code School
 * GitHub
 * Mischa Taylor's Coding Blog
 * Puppet Forge
 * Puppet Labs
 * Release Engineer - Alex Vinyar's Site
 * Seth Vargo's Site
 * StackSocial
 * Udemy
 * pigram86 on Github




CLOUDSTACK/CLOUDPLATFORM/XEN/XCP LINKS

 * Apache CloudStack
 * Apache CloudStack Wiki
 * Build a Cloud - DIY Cloud
 * Chip Childer's Blog
 * CloudPlatform Forums
 * CloudPortal Business Manager Forum
 * CloudPortal Services Manager Forums
 * CloudStack Forums
 * CloudStack IRC
 * David Nalley's Site
 * Fly by Product
 * How-To-Geek
 * Hyperadvisor
 * Mark Hinkle's Site
 * Remi Bergsma's Blog
 * Sebastien Goasguen's Blog
 * XenProject
 * XenServer Project












Todd Pigram. Awesome Inc. theme. Powered by Blogger.


